
Feature: Capture intruders

CAPTURE INTRUDERS
Build a honeypot, study your enemy. Know your attackers and study their methods.

Makefest 2017

Written by Pablo González and Fran Ramírez, Security Researchers at ElevenPaths
www.elevenpaths.com

Ethical hacking
This guide must be deployed for investigation or to protect an organisation only.

AT A GLANCE

Set up a honeypot, p22
Learn how to set up a medium-interaction SSH honeypot, which logs the entire shell interaction and brute-force attacks.
What we used: Kippo (https://github.com/desaster/kippo) and its fork called Cowrie. Kippo and Cowrie (www.micheloosterhof.com/cowrie) are easy to install and they are the most popular honeypots over the internet.

Processing the data, p24
Discover how to shape the attack and attacker profile by analysing the data within the kippo.log file and folders such as log and tty.
What we used: Python script playlog.py to display a real-time recorded attacker shell interaction.

Visualise the data, p26
How to graphically see all the information collected by Kippo and Cowrie in a web browser.
What we used: Kippo-Graph (http://bruteforcelab.com/kippo-graph), a script to visualise statistics and any other data from a Kippo or Cowrie honeypot.

Question: are you inside a honeypot?, p28
Learn how to identify if you are trapped in a honeypot to improve your own designs.
What we used: Techniques to figure out whether you are inside a virtual machine that's being used as a honeypot and identifying a honeypot using Shodan (www.shodan.io) and an IP address.

IoT & ICS honeypots, p29
How a honeypot in an Industrial Control System (ICS) works and the most common honeypots that are used.

Organisations are always innovating to maintain a proactive defence against internet threats. To achieve this they create real structures for potential attackers in the hope of fooling them into thinking that their attack is being carried out against a real infrastructure. In this feature we look at honeypots, which are either software or a set of assets that tries to seduce attackers by pretending to be a vulnerable system and once attackers are lured in, the honeypot studies the attack behaviour to learn the latest techniques that need to be countered.

Honeypots date back to the 1960s but gained prominence when Clifford Stoll, who managed computers at Lawrence Berkeley National Laboratory in California in the mid-1980s, published his account of tracking down a West German hacker in the book, The Cuckoo's Egg: Tracking a Spy Through the Maze of Computer Espionage. Stoll's honeypot was a fake university department that he knew would tempt in an intruder who was looking for files to sell to the KGB, but the principle is the same for contemporary honeypots.

The scope of a honeypot varies depending on the number of computers taking part in the infrastructure. When several computers are grouped together for this purpose, they create a honeynet. To learn more about honeynets, head to the Honeynet Project (www.honeynet.org), a non-profit security research organisation that contributes tools and papers explaining how to develop your own network of honeypots.

"A honeypot is either software or a set of assets that tries to seduce attackers pretending to be a vulnerable system"

Honeypots are classified by two factors: the honeypot's target and the attacker's interaction. Depending on a honeypot's target, it will be focused on researching, understanding and obtaining data that enables an organisation or researcher to analyse new attack trends accurately. This analysis of what attackers target and the source of attacks is incredibly valuable data as it enables companies to understand the risks that they face and inform, as well as anticipate, future investments in security and indicating points of interest for cyberattacks.

Another type of honeypot is located over the production infrastructure to gather information about the techniques used by the attackers. This honeypot type provides better results than others, but it involves a higher risk since they are within the organisation itself. Any breach or failure in the honeypot setup could allow an attacker to access the main network or critical computers in the infrastructure.

The second factor in classifying a honeypot is how it interacts with the attacker. This interaction is set at three levels: low, medium and high. At the low level, services, applications or systems are always simulated and not real vulnerable services. The true advantage of this honeypot type is the simplicity involved in the installation and setup while the risk assumed by the corporate network is low. The main disadvantage is its limited capability to gather information. In contrast, the relationship between the breached system and the attacker is higher in medium-level honeypots. Services that respond similarly to the real ones are simulated, allowing access to fake resources such as SSH or FTP servers. They are often used to catch malware or simulate vulnerabilities from a specific service. As a consequence, the gathering of information and data about the attacker's behaviour increases significantly in this type of interaction. Finally, high-level honeypots are built with real computers and operating systems using actual services. They are classified as high risk because an attacker could use the computers to perform actions against the organisation. On the other hand, it does enable data and attacker behaviour to be gathered unrestricted and the study of such data is incredibly valuable.

www.linuxuser.co.uk 21

Below Honeypots are classified by two main factors: the honeypot's target and the attacker's level of interaction

Honeypots classification (figure):
According to the target
- Research: allows the analysis of the data gathered; helps in discerning the risk and anticipating countermeasures needed
- Production: gathers better information about the techniques used by the attackers; higher risk because the honeypots are located within an organisation
Based on interaction
- Low: simulated systems; simplicity; limited information gathered
- Medium: allows access to fake resources; simulates a specific service; supplies more data about the attack
- High: real computer systems; higher risk to organisation; most complete and useful data gathered from the attack
For a better understanding of the honeypot concept, let's install an example one with a medium-interaction level. On this occasion we're using Kippo, because it offers an easy and educational way to understand the basics of how a simple honeypot layout works. Kippo is easy to deploy, and many other honeypots are based on Kippo's design, such as Cowrie (see p28). Kippo works on most current Linux distributions, but Ubuntu 16.04 was used for these examples.

Install Kippo and set up
There are several ways to install Kippo on our computer. But first you will need to install some dependencies to meet the requirements:

apt-get install python-dev openssl python-openssl python-pyasn1 python-twisted

One way to install Kippo is to download it directly from the GitHub repository by running:

git clone https://github.com/desaster/kippo

You can also install Kippo by using Subversion. If you don't have it installed, just type apt-get install subversion and then download the latest version with:

svn checkout http://kippo.googlecode.com/svn/trunk/ ./kippo

Don't forget to change your location to the directory where Kippo was installed.

First, let's cover Kippo's configuration. It's the key file as it provides flexibility and personalisation of the final Kippo setup. The config file is called kippo.cfg.dist and should be copied or renamed as kippo.cfg. In Figure 1, Kippo has been set on port 2223. Later on, an iptables rule will need to be applied to forward all the incoming traffic that goes to port 22 to 2223. In this way, when an attacker scans the IP address, they'll find an SSH service on port 22 that's really our honeypot:

[sudo] iptables -t nat -A PREROUTING -p tcp --dport 22 -j REDIRECT --to-port 2223

QUICK GUIDE
What is Kippo?
Kippo simulates an SSH service that's available on the internet with a root password that's easily discoverable, e.g. 123456, using a basic password dictionary. Kippo is written in Python (and Python 2.5+ is needed) and Twisted, which is a network library developed by MIT. Kippo logs all the access attempts to the fake SSH service, including brute-force attacks and any shell interaction that's performed by the attacker. It also stores all typed commands and all files uploaded to the server.

Kippo's folders of interest
Before exposing the honeypot to the internet and starting to collect attacker information, it's necessary to list the folders where Kippo will keep the data collected. The first folder is called data. This will store all the SSH public keys used by Kippo. This folder is where two text files are stored too. The first one is called lastlog.txt, which records the IP address, date and how long an attacker's activity lasted after logging into the system using the root account. This information is very useful and will be the first to be analysed during the information processing (see p24).

The second file is named userdb.txt and stores users and their passwords that are allowed to access the system. The format of userdb.txt must match the following settings:

Username:UID:PlainText Password

Another important Kippo folder is dl. This stores any files uploaded by an attacker, once the system is compromised. This enables us to retrieve and assess any possible malicious files to identify any known or new malware and understand the behaviour being logged.

Our third folder is called honeyfs and stores all the folders and files that are shown to the attacker. Folders such as etc and proc are already in honeyfs and inside each folder you'll find some files of interest for the attacker, but all of them are only text files.

To make the honeypot feel more realistic and attractive to a potential attacker, we can create other folder structures inside honeyfs. The better we simulate the Linux folder structure, the longer the attacker will remain inside our honeypot and we will get better results.

The fourth and final folder we will highlight is log. This folder is critical for processing all the information collected by your honeypot and reaching conclusions about an attack. The longer a honeypot is exposed to the internet, the better the quality of the information will be that it collects. The file kippo.log and the folder tty sit inside the log folder. The tty folder records all the interactive sessions made by the attackers. These files should be processed to obtain a better understanding of the behaviour and goals of the attackers.

The kippo.log file stores unauthorised access attempts, connection attempts and all commands typed by an attacker during a session. This file must be handled and analysed during the information processing stage due to the large volume of data collected. It will not only record any successful access by an attacker but any attempts that are made. Note: if needed, it's possible to stop Kippo's execution using the script ./stop.sh and killing the process, which is called twistd, using the kill command.

"The better we simulate the Linux folder structure, the longer the attacker will remain working on our honeypot"

Above (Figure 1) An example of kippo.cfg, where the SSH port has been set to port 2223 by changing the value of the ssh_port variable

HOW TO
Customise Kippo
The primary configuration file where we can enter values for all the directives and customise Kippo is called kippo.cfg.dist (kippo.cfg). This includes listening ports for incoming SSH connections and the location for files uploaded by an attacker:

ssh_addr: Shows the network interface where Kippo will be listening for all the requests.
ssh_port: Kippo's listening port. The preference would be to set this to port 22, although you should run Kippo as root or sudoer.
hostname: Shows the computer's name the attacker will see once they gain access. Try using appealing names such as PayrollPC.
log_path: The path where the log file will be stored for recording all actions and events taking place on the computer. This info will be stored in the kippo.log file; a folder called tty will store all session logs and is useful for analysis afterwards.
download_path: The path to the folder where all the files uploaded by the attacker will be stored.
download_limit_size: Sets the maximum size for any file that can be downloaded by the attacker. By default, this option is set to 0 (no limit).
content_path: The path where the virtual files are stored. By default, the path is set to the honeyfs folder, which also contains etc and proc.
txtcmds_path: The path to the folder where the output of programs executed is stored. If the attacker runs the command ifconfig, we could create a file ifconfig and put inside output to be displayed. By default, the path is txtcmds.
exec_enabled: This enables the option to run commands on the computer using ssh execCommand, which is disabled by default. Enabling this creates a bigger risk to your setup.
ssh_version: Indicates what version of SSH to display, which is output in string format.

QUICK GUIDE
Where to place a honeypot?
Honeypots can be located in many positions within a network. A first layer could be honeypots connected directly to the internet (and the first to face any possible attack). A second layer is to locate honeypots in the DMZ (demilitarized zone), where an organisation's external-facing services are exposed to the internet; this is the most common layout used. A third layer would be to install the honeypots behind a firewall, configured as a normal service of the real network.

Below A general layout using several honeypots in a network and their location on the DMZ network (figure: INTERNET, ROUTER, FIREWALL; DMZ containing HONEYPOT 1, HONEYPOT 2, HONEYPOT 3, DNS SERVER and WEB SERVER; LAN behind the firewall)
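As an added example (not code from the article or from the Kippo project), the following script audits a kippo.cfg against the advice in the Customise Kippo box: a hostname that does not give the game away, a plausible ssh_version banner, exec_enabled left off, a download limit, and a reminder about the iptables rule when ssh_port is not 22. The sample configuration is constructed, the directive names are the ones the box lists under Kippo's [honeypot] section, and the "realistic" banner used by harden() is an assumption rather than anything Kippo ships with.

```python
"""Audit a kippo.cfg against the advice in the Customise Kippo box.

Added example; it is not code from the article or from the Kippo project.
It reads the directives the box lists (hostname, ssh_version, exec_enabled,
download_limit_size, ssh_port) from the [honeypot] section. The sample
config is constructed, and the verdicts are this script's reading of the
article's advice, not Kippo's own defaults.
"""
import configparser
import io

# Constructed sample: a freshly copied kippo.cfg that nobody has customised.
SAMPLE_CFG = """\
[honeypot]
ssh_addr = 0.0.0.0
ssh_port = 2223
hostname = kippo-test
log_path = log
download_path = dl
download_limit_size = 0
content_path = honeyfs
txtcmds_path = txtcmds
exec_enabled = true
ssh_version = SSH-2.0-kippo-honeypot
"""

# Substrings that give the game away in the prompt or the SSH banner
# (crude heuristic: "pot" also catches words like "spot", which is acceptable here).
TELLTALE_WORDS = ("honey", "kippo", "cowrie", "pot", "test", "fake")


def _section(text):
    """Parse the INI text; Kippo keeps all of these directives under [honeypot]."""
    cfg = configparser.ConfigParser()
    cfg.read_string(text)
    return cfg, cfg["honeypot"]


def _telltale(value):
    value = value.lower()
    return any(word in value for word in TELLTALE_WORDS)


def audit(text):
    """Return (severity, directive, message) tuples; 'risk' items need fixing."""
    _, hp = _section(text)
    findings = []
    host = hp.get("hostname", "")
    if not host or _telltale(host):
        findings.append(("risk", "hostname",
                         "use an appealing, ordinary name such as PayrollPC"))
    banner = hp.get("ssh_version", "")
    if not banner.startswith("SSH-2.0-") or _telltale(banner):
        findings.append(("risk", "ssh_version",
                         "banner must read like a real server's version string"))
    if hp.getboolean("exec_enabled", fallback=False):
        findings.append(("risk", "exec_enabled",
                         "ssh execCommand is on; the article warns this raises the risk"))
    if hp.getint("download_limit_size", fallback=0) == 0:
        findings.append(("risk", "download_limit_size",
                         "0 means no limit, so attacker uploads can fill the disk"))
    if hp.getint("ssh_port", fallback=22) != 22:
        findings.append(("info", "ssh_port",
                         "not 22: keep the iptables REDIRECT rule so port 22 reaches the honeypot"))
    return findings


def harden(text, hostname="PayrollPC",
           banner="SSH-2.0-OpenSSH_7.2p2 Ubuntu-4ubuntu2.2",  # assumed realistic banner
           limit_bytes=10 * 1024 * 1024):
    """Rewrite the risky directives and return the new config text."""
    cfg, hp = _section(text)
    hp["hostname"] = hostname
    hp["ssh_version"] = banner
    hp["exec_enabled"] = "false"
    hp["download_limit_size"] = str(limit_bytes)
    out = io.StringIO()
    cfg.write(out)
    return out.getvalue()


if __name__ == "__main__":
    for finding in audit(SAMPLE_CFG):
        print("%-4s %-20s %s" % finding)
    print(harden(SAMPLE_CFG))
```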

Running Kippo in the background
We don't recommend using the root account to run Kippo in the background. It's better to create a Kippo account instead:

useradd -d /home/kippo -s /bin/bash -m kippo -g sudo

To start Kippo in a computer with connectivity and exposed to the internet, run the script with ./start.sh. This simple script, written in Bash, will enable you to run Kippo in the background using twistd. Furthermore, you can always run in manual mode using the following commands:

twistd -y kippo.tac -n

Running the following command, you will get a list of Kippo's processes running in background (twistd is running the honeypot in the background): ps aux | grep kippo. To stop the process, run the following script: ./stop.sh. This will stop Kippo's execution, but it's always possible to halt the process using the kill command over the twistd process. Once we get enough information collected by the honeypot, it's now time to process and understand the data. Later on, we will see how to process this information visually using Kippo-Graph (see p26), but before that it's important to familiarise yourself with relevant files and folders related to the logs. We've already mentioned the log folder, where the crucial kippo.log file is located. This file records all the activity related to connection attempts to our honeypot. If the attacker succeeds in accessing the system, this will look like the following record:

2017-07-07 02:48:31+0200 [SSHService ssh-userauth on HoneyPotTransport,327,72.X.XX.XXX] root trying auth password
2017-07-07 02:48:31+0200 [SSHService ssh-userauth on HoneyPotTransport,327,72.X.XX.XXX] login attempt [root/123456] succeeded
2017-07-07 02:48:31+0200 [SSHService ssh-userauth on HoneyPotTransport,327,72.X.XX.XXX] root authenticated with password
2017-07-07 02:48:31+0200 [SSHService ssh-userauth on HoneyPotTransport,327,72.X.XX.XXX] starting service ssh-connection

Note that the user and password are clearly visible on the record:

HoneyPotTransport,327,72.X.XX.XXX] login attempt [root/123456] succeeded

And that rejected attempts are displayed too, with the same information:

2017-07-08 08:09:21+0200 [SSHService ssh-userauth on HoneyPotTransport,1043,125.X.XX.XXX] usuario trying auth password
2017-07-08 08:09:21+0200 [SSHService ssh-userauth on HoneyPotTransport,1043,125.X.XX.XXX] login attempt [usuario/usuario] fa$
2017-07-08 08:09:22+0200 [-] usuario failed auth password
2017-07-08 08:09:22+0200 [-] unauthorized login:

QUICK TIP
Faking it
The typical folders found in a real Linux environment under the / directory are: /bin, /boot, /dev, /etc, /home, /lib, /media, /mnt, /opt, /sbin, /srv, /tmp, /usr, /var, /root, /proc.

Above Here's a capture example. This playlog.py script is running a log file from the command line. All the commands displayed were executed by the attacker

QUICK GUIDE
Honeypots: What are the ethical and legal issues?
There is some controversy around the ethics and legal implications of using honeypots. Some experts believe honeypots don't help security, since they can help attackers practise and learn new techniques and generally hone their skills for attacking any site. Some even consider honeypots as illegal, if the honeypot infrastructure is built intentionally as an entrapment to catch attackers. This concern involves some issues related to privacy, because somebody accessing your honeypot could have legal rights (depending on the country where you place the honeypot) and this can limit the information that you can harvest from the attackers.

It's important to distinguish between two types of information when collecting data: content and transaction. The content data is the most important because it involves personal information such as emails, chats and even keystrokes made by the attacker. Transaction data is related to the connection information, such as IP address, access date, time and so on. Kippo can collect both types of data, but to avoid legal issues, your honeypot setup must be deployed for investigation or to protect your organisation only. Another good idea is to place a warning banner disclosing that your site is being monitored.

The tty folder, as we mentioned before, is only interested in successful attacker attempts and will store the complete session. This information includes all the shell commands that were typed by the attacker. This information is important for analysing the type of the attack and all the steps taken in the attack. It's possible to open the log files within tty using any plain text editor, but a useful tool is already included in Kippo called playlog.py. This script helps to get a better visualisation of the information. You'll find this script in the kippo/utils folder and it uses a compatible UML (Unified Modeling Language) format for easy replay with original timings. Once this script is executed with a tty log file as a parameter, it will run an animation showing the step-by-step approach taken by an attacker while displaying the same screen output as the attacker.

Another important folder to analyse is /kippo/dl. This folder has all the files uploaded by all the attackers that accessed the honeypot. Every file that's uploaded has a name based on the date and URL where it was downloaded. The lastlog.txt file, located in kippo/data/, is another important file that's useful for analysing attack information. This file records all the access attempts that have been made against the honeypot. This file will keep such information as the IP address, date, hour and so on (see below):

root pts/0 27.X.XX.XXX Thu Jul 06 19:11 - 19:11 (00:29)
root pts/0 170.X.XX.XXX Thu Jul 06 19:12 - 19:13 (00:27)
root pts/0 101.X.XX.XXX Thu Jul 06 19:20 - 19:21 (00:33)
root pts/0 186.X.XX.XXX Thu Jul 06 19:24 - 19:25 (00:28)
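The "Processing the data" part of this feature comes down to shaping an attacker profile out of the kippo.log auth records and the lastlog.txt listing. The script below, an added example that is not code from the article or the Kippo project, parses both layouts as the article shows them and merges them into one record per source IP, then flags sources whose failed logins look like a dictionary attack. The sample records are constructed (with RFC 5737 documentation addresses in place of real ones), and the duration in lastlog.txt is read as mm:ss, which is the only reading consistent with the article's own sample lines.

```python
"""Build a per-source attacker profile from kippo.log and data/lastlog.txt.

Added example; it is not code from the article or from the Kippo project.
The sample records are constructed to follow the two layouts the article
shows (kippo.log auth lines and the lastlog.txt listing), with RFC 5737
documentation addresses. The regexes assume exactly those layouts; any
other record type a live install emits is simply ignored.
"""
import re
from collections import defaultdict

# Constructed kippo.log extract: "HoneyPotTransport,<session id>,<source ip>".
KIPPO_LOG = """\
2017-07-07 02:48:31+0200 [SSHService ssh-userauth on HoneyPotTransport,327,192.0.2.10] root trying auth password
2017-07-07 02:48:31+0200 [SSHService ssh-userauth on HoneyPotTransport,327,192.0.2.10] login attempt [root/123456] succeeded
2017-07-07 02:48:31+0200 [SSHService ssh-userauth on HoneyPotTransport,327,192.0.2.10] root authenticated with password
2017-07-07 02:48:31+0200 [SSHService ssh-userauth on HoneyPotTransport,327,192.0.2.10] starting service ssh-connection
2017-07-08 08:09:21+0200 [SSHService ssh-userauth on HoneyPotTransport,1043,198.51.100.7] usuario trying auth password
2017-07-08 08:09:21+0200 [SSHService ssh-userauth on HoneyPotTransport,1043,198.51.100.7] login attempt [usuario/usuario] failed
2017-07-08 08:09:22+0200 [-] usuario failed auth password
2017-07-08 08:09:22+0200 [-] unauthorized login:
2017-07-08 08:09:25+0200 [SSHService ssh-userauth on HoneyPotTransport,1044,198.51.100.7] login attempt [admin/admin] failed
2017-07-08 08:09:29+0200 [SSHService ssh-userauth on HoneyPotTransport,1045,198.51.100.7] login attempt [root/password] failed
"""

# Constructed lastlog.txt extract: user, tty, source ip, start - end (duration).
LASTLOG = """\
root pts/0 192.0.2.10 Thu Jul 06 19:11 - 19:11 (00:29)
root pts/0 192.0.2.10 Thu Jul 06 19:20 - 19:21 (00:33)
"""

AUTH_RE = re.compile(
    r"^(?P<ts>\S+ \S+) \[SSHService ssh-userauth on HoneyPotTransport,"
    r"(?P<session>\d+),(?P<ip>[^\]]+)\] login attempt "
    r"\[(?P<user>[^/]*)/(?P<password>[^\]]*)\] (?P<result>succeeded|failed)$"
)

LASTLOG_RE = re.compile(
    r"^(?P<user>\S+)\s+(?P<tty>\S+)\s+(?P<ip>\S+)\s+"
    r"(?P<start>\w{3} \w{3} \d{2} \d{2}:\d{2}) - (?P<end>\d{2}:\d{2}) "
    r"\((?P<duration>\d+:\d+)\)$"
)


def parse_kippo_log(text):
    """Keep only the 'login attempt' records. The 'failed auth password' and
    'authenticated with password' lines describe the same attempt again and
    would double count it."""
    return [m.groupdict() for m in map(AUTH_RE.match, text.splitlines()) if m]


def parse_lastlog(text):
    """One dict per completed root session, with the duration in seconds.
    A line such as '19:11 - 19:11 (00:29)' only makes sense if the bracketed
    value is mm:ss, so that is the assumption used here."""
    sessions = []
    for line in text.splitlines():
        m = LASTLOG_RE.match(line)
        if not m:
            continue
        minutes, seconds = (int(x) for x in m.group("duration").split(":"))
        rec = m.groupdict()
        rec["seconds"] = minutes * 60 + seconds
        sessions.append(rec)
    return sessions


def build_profiles(log_text, lastlog_text):
    """Merge both sources into one record per source IP."""
    profiles = defaultdict(lambda: {"attempts": 0, "successes": 0,
                                    "credentials": [], "sessions": 0,
                                    "seconds_inside": 0})
    for ev in parse_kippo_log(log_text):
        p = profiles[ev["ip"]]
        p["attempts"] += 1
        if ev["result"] == "succeeded":
            p["successes"] += 1
        p["credentials"].append((ev["user"], ev["password"]))
    for s in parse_lastlog(lastlog_text):
        p = profiles[s["ip"]]
        p["sessions"] += 1
        p["seconds_inside"] += s["seconds"]
    return dict(profiles)


def likely_brute_force(profiles, threshold=3):
    """Sources with at least `threshold` failed logins: far more likely a
    dictionary attack than a human typing passwords."""
    return sorted(ip for ip, p in profiles.items()
                  if p["attempts"] - p["successes"] >= threshold)


if __name__ == "__main__":
    profiles = build_profiles(KIPPO_LOG, LASTLOG)
    for ip, p in profiles.items():
        print(ip, p)
    print("likely brute force:", likely_brute_force(profiles))
```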


QUICK TIP
File hunt
The files passwd and shadow, in the etc folder, are the most wanted by the attackers because these files store essential information related to the users and their passwords.

Kippo-Graph is a script created to visualise all the information harvested by Kippo SSH Honeypot. It uses some modules and APIs, such as Google's Visualization API for maps and Libchart PHP for drawing charts, to create several graphs and statistics based on all the attackers registered by the honeypot. Most of the information managed by Kippo-Graph is located in a MySQL database (the rest of the data collected is located in the log files) and it connects directly to all the MySQL tables using the parameters configured in the config.php file.

Kippo-Graph's current version can show several types of graphs (such as pie chart, column chart and so on) and presents information about, for example, top ten passwords used by attackers, top ten usernames, IP connections, connections by countries and much more. All the information displayed can be exported to CSV format for further processing by any other log analyser application.

In Kippo-Graph's first section, called Overview, we can see a summary of all the data highlights stored by Kippo. In the section header, it shows some important overall information, such as: the total number of access attempts; number of different IPs that tried to access the honeypot; and the activity timeframe where all the information was registered. The next section, called Input, manages all the information that was registered by keystrokes made by attackers. The first graph displayed in the section shows all the human activity inside the Honeypot. In this way, Kippo-Graph can estimate and present how many attacks were made by humans or how many were automated. The table called Top 10 successful input shows the top ten commands run successfully by the attackers once they gained access to the honeypot. There's a special follow-up to the wget command to trace any file that the attacker was able to download from the honeypot.

The next section, Playlog, shows off the most interesting feature of Kippo-Graph. This presents a step-by-step replication (like a frame-by-frame animation) of all the activity related to an attack. Basically, this section does the same thing as the playlog.py script (see p24), but this time it runs over the Kippo-Graph website. It also shows detailed data focused on the attacker and sessions, such as in the following example:

Information about the attacker and session:
Session ID: 8816a99665ff11e79f03020000f0e954
Timestamp: 2017-07-11 06:09:46 (10.5 minutes)
Attacker's IP: 195.X.XX.XXX
Number of sessions for the attacker's IP: 1
Number of times the attacker's IP have been seen: 1
Total login attempts: 2
SSH credentials: root / 123456
Total number of input commands: 4 (0 failed commands)

It also shows detailed technical info about the attacker's IP and a map locating the attacker via IP geolocation. The Network section displays a summary table with all the IP addresses registered by the honeypot. It also contains geolocation, sessions made, successful sessions and the date of the latest attempt made. Clicking on any of the sessions yields more information about it, such as username and password used for access.

The Geoip section displays geolocation information related to attackers over a layer of Google Maps, but it's also possible to analyse the IP registered using some online services that check their trustworthiness and if they are registered as potentially dangerous sites. Some of these online services used in Kippo-Graph are McAfee and VirusTotal.

Below This table displays one successful access and several failed attempts that registered in our session, seen in the Kippo-Graph Network section

IP address    | Geolocation     | Sessions count | Success | Last seen
58.X.XX.XXX   | Wuhan, China    | 1              | 1       | 2017-07-11 07:59:26
103.X.XX.XXX  | Shanghai, China | 71             | 0       | 2017-07-11 08:06:46

HOW TO
Download, install and set up Kippo-Graph

01 Get the prerequisites
Kippo-Graph is accessed from the web browser, so you need to install an Apache server (sudo apt-get update followed up by sudo apt-get install apache2) and some PHP extra packages for it to work properly:

sudo apt-get update && apt-get install -y libapache2-mod-php5 php5-mysql php5-gd

02 Install Kippo-Graph (GitHub)
The quickest way to get up and running with Kippo-Graph is by cloning the GitHub repository. Install Git with sudo apt-get install git if you don't have it already, followed by:

git clone https://github.com/ikoniaris/kippo-graph.git

03 Install Kippo-Graph (manually)
Another way to install Kippo-Graph is to download the latest version with:

wget http://bruteforcelab.com/wp-content/uploads/kippo-graph-1.5.1.tar.gz
sudo mv kippo-graph-1.5.1.tar.gz /var/www/html
cd /var/www/html
sudo tar zxvf kippo-graph-1.5.1.tar.gz
sudo mv kippo-graph-1.5.1 kippo-graph

04 Preparing Kippo-Graph
Copy the folder cloned or copied in Step 2 or 3 to /var/www/html, then change to that folder with cd /var/html/kippo-graph-1.5.1/. Next, set up full read, write and execute permissions to the generated-graphs folder with sudo chmod 777 generated-graphs. Finally, config.php.dist must be copied to config.php before making any changes to it with: sudo mv config.php.dist config.php.

05 Configuring Kippo-Graph
The configuration file config.php has many parameters that can be changed, but let's focus on a few significant ones: DB_HOST must be set to localhost or 127.0.0.1; DB_USER is the MySQL user created for Kippo, DB_PASS is the MySQL password, DB_NAME is Kippo's database name; and finally, DB_PORT is the port connection to the database (by default this is 3306).

06 Accessing Kippo-Graph
Once all the changes to the config.php file have been made to your satisfaction, you will need to restart the Apache service in order to apply the new configuration values. Once this is done, open your web browser and type the following: http://<yourIPorServer>/kippo-graph. At this point, you will see the main Kippo-Graph web page with your honeypot's activity overview, as displayed above.

HOW TO
Analysing the files uploaded by the attackers
As a part of the post-attack analysis, we need to look at the dl folder and find possible files uploaded by the attackers. Most of these files will have some type of malware or tools to exploit system vulnerabilities. This info will help us to understand the type of the attack made against the honeypot and to learn how to protect our real infrastructure. The first part of the analysis should be to send files through an online analysis service, for example, VirusTotal (www.virustotal.com). This service can detect viruses, worms, Trojans and other malware by just uploading the file to the website or pasting the URL (or IP if we want to check an internet location). VirusTotal has 56 different types of antivirus and 61 engines, as well as other tools that can be installed in browsers, smartphones or Windows. It acts like a sandbox (an environment totally isolated to simulate the file execution within the operating system) and allows you to run the file and check its behaviour and consequences of running it. There are other services worth investigating that act as sandboxes to check files, such as ThreatExpert (www.threatexpert.com) and Malwr (https://malwr.com).

Right The details tab not only shows changes to a file but allows you to revert to older versions of it.


Above A diagram of a typical industrial network (figure): external network hosts (business or plant network) using common protocols; DMZ applications (patch deployment server, historian) using common protocols; supervisory control elements (network, applications, servers: engineering workstation, alarm servers, HMI application servers, historian) using common and industrial protocols; control elements (PLCs, RTUs, SIS) using industrial protocols, with remote support; sensors and actuators (IO fieldbus) using industrial protocols

HOW TO
T-Pot: the multi-platform honeypot system

01 Introducing T-Pot
T-Pot combines honeypots Conpot, Cowrie, Dionaea, ElasticPot, eMobility, Glastopf and honeytrap with Suricata (a network-monitoring security engine). It visualises the collected data with ELK stack (Elasticsearch, Logstash and Kibana), which has a beautiful visualisation engine. T-Pot runs every daemon in a Docker container for good isolation.

02 Requirements and installation
T-Pot can be installed on a physical computer or in a VM using different setups. To avoid any issues during installation make sure your system meets the following spec: 4GB RAM (8GB recommended), 64GB hard disk (128GB recommended) and a working internet connection. Installing T-Pot is easy: just download the ISO file from http://community-honeypot.de/tpot.iso and run it in your designated setup.

03 Running T-Pot
The install takes about 30 minutes and will reboot. The user is tsec and you'll need the password you chose during install. All honeypots, depending on the type of setup chosen, will start automatically. To access T-Pot from the browser, type https://<your.ip>:64297 and log in with your credentials. Head to https://github.com/dtag-dev-sec/tpotce for more details.

Kippo is a good learning environment. It has been one of the most-used honeypots for a long time now, but as it's not as regularly updated, the chances of it being detected by an attacker are greater. Now we're familiar with the concepts, we need a more secure environment, so let's move on to Cowrie. Fortunately, migrating from Kippo to Cowrie is very easy because it's a fork of Kippo. In addition, Cowrie provides a host of new features such as SFTP and SCP file uploads, SSH exec commands support, JSON format for log files and more. Cowrie is regularly updated and frequently patched, and as Cowrie is virtually the same as Kippo, it's 100 per cent compatible with Kippo-Graph, too.

Cowrie has a similar folder and file setup to Kippo. The dl, data, bin, honeyfs and txtcmds folders perform the same function as Kippo. The log folder has almost the same files as Kippo, but the main configuration file for Cowrie is called cowrie.cfg.dist. As we did with Kippo, this file must be copied and renamed cowrie.cfg. Cowrie's new features add some new config files, such as fs.pickle for a fake filesystem, which is allocated to the data folder, and cowrie.json which stores log records in JSON format. You'll also need to install a few dependencies:

apt-get install git python-virtualenv libmpfr-dev libssl-dev libmpc-dev libffi-dev

build-essential libpython-dev python2.7-minimal authbind

As we did with Kippo, it's recommended to create a separate user account for Cowrie and not use root.

Installing Cowrie
You can clone Cowrie from the GitHub repository:

git clone https://github.com/micheloosterhof/cowrie

Cowrie configuration is almost a drop-in replacement for Kippo, but we need to make a few changes in cowrie.cfg:

# JSON based logging module
[database_jsonlog]
logfile = log/cowrie.json
# Enables passing commands using ssh execCommand
# e.g. ssh root@localhost <command>
# (default: false)
exec_enabled = true
# sftp_enabled enables the sftp subsystem
sftp_enabled = true

To start Cowrie is pretty much the same as Kippo, so cd cowrie/ followed by ./start.sh.

Are you in a honeypot?
There are techniques and tools that you can use to detect whether you've stumbled into a honeypot yourself. These can detect if we are in any interaction level of a honeypot, from the lowest to the highest. One technique involves checking to see if we're within a virtual computer environment. Of course, you'll find other real servers configured over virtual environments, but it's less common for servers located in network zones, such as the DMZ (critical servers are often built on real physical computers). One method for checking for a VM is to check the drivers and hardware configuration. Graphics cards, network cards and IDE devices are the same for these types of environments. For instance, VMware has graphics cards named VMWAre Inc [VMWare SVGA II] PCI Display adapter. The MAC address can also give us a clue. Addresses beginning with 00-1C-14-XX-XX-XX, 00-0C-29-XX-XX-XX, 00-50-56-XX-XX-XX or 00-05-69-XX-XX-XX belong to VMware according to the IEEE records.

Another technique is to check the messages returned by the services that we are analysing. For example, it's possible to detect Kippo by sending unexpected data to the SSH service and checking the returned error messages or version. If those error messages are non-standard SSH, we are trapped in a Kippo honeypot. That's the reason why it's very important to customise our honeypot to make it appear as real as possible. The lower the interaction level, the easier it will be to detect a honeypot. Environments with a high level of interaction are the most difficult to detect since they offer real services instead of simulated ones.

Metasploit has some modules that can detect whether or not you are dealing with a honeypot and even has a Kippo SSH Honeypot Detector that uses the returned messages method described above. Using the search engine Shodan (https://honeyscore.shodan.io), it's also possible to find out if an IP address is a honeypot without even connecting to it.

"Environments with a high level of interaction are the most difficult to detect since they offer real services instead of simulated ones"

QUICK TIP
Pi pots
The Raspberry Pi is an easy and cheap platform to deploy any kind of honeypot. Due to its small size and portability, a Pi is perfect for simulating a fake Wi-Fi access point.

Honeypots to protect ICS and IoT devices
IoT and ICS (industrial control system) environments are increasingly suffering more attacks. Critical infrastructure, such as dams and power grids, is threatened by this type of attack. Stuxnet is the best-known case of an attack on an ICS (in this case, a nuclear plant in Iran) and attack techniques are becoming more sophisticated, so using honeypots is a good way to stop and study attacks before they can affect the real facilities. ICSes are often made up of several components, such as SCADA (supervisory control and data acquisition), PLC (programmable logic controller), RTU (remote terminal units) and HMI (human-machine interfaces). An ICS will also have its own internal computer network for services such as email, web services and so on. Therefore, it's possible to install some honeypots within the industrial network to simulate any of these services or tasks. There are honeypots designed to emulate specific features, products and infrastructure. For example, Honeyd (www.honeyd.org) simulates industrial devices that work using an IP address (e.g. Modbus and Ethernet) and can even simulate RS232 serial communication connections. In contrast, Conpot (http://conpot.org) drills down to specific devices. It's a low-interaction honeypot and simulates Siemens's SIMATIC S7-200 PLC model and an input and output module, CP 443-1, which has an Ethernet connection. Due to the large size of ICS networks, sometimes it's necessary to use honeynets to simulate whole industrial environments to attract the right kind of attackers. So scaling up, Gridpot (https://github.com/sk4ld/gridpot) simulates SCADA power grids by using a combination of Conpot and GridLAB-D electrical grids.

Honeypots are pre-empting potentially life-threatening attacks in the future and it's fascinating to know that across the internet right now there are vast virtual installations humming away in simulated activity waiting to draw in and analyse every action of cyber criminals.

